The FAT File System
CSC 414
Objectives



Understand the structure and components of the FAT
(12/16/32) File Systems
Understand what happens when a file is created, deleted,
moved, etc.
Understand what forensic tools show you about the FAT
file system and why.
First Some Basics




Common Integral Data Types
Little Endian vs. Big Endian
ASCII/Hex/Decimal/Binary/Unicode
MS DOS Date/Time Format
Common Integral Data Types
Bits Bytes
Name
Range
Byte or octet
Signed: −128 to +127
Unsigned: 0 to +255
16 2
word
Signed: −32,768 to +32,767
Unsigned: 0 to +65,535
32 4
doubleword
(dword) or long
Signed: −2,147,483,648 to +2,147,483,647
Unsigned: 0 to +4,294,967,295
64 8
quadruple word
(qword) or
longlong
Signed: −9,223,372,036,854,775,808 to
+9,223,372,036,854,775,807
Unsigned: 0 to +18,446,744,073,709,551,615
n
n-bit integer
Signed: − 2n − 1 to 2n − 1 − 1
Unsigned: 0 to 2n − 1
8
1
n
Note: different hardware architectures support and use different length integer data types.
The above is only intended for the X86 (Intel) platform.
Little Endian vs. Big Endian



Little Endian = the first byte of an integer is the one of
lowest value, the last byte the one of highest value. So
we read the bytes in the reverse order that we see them
in a HEX Editor.
Big Endian = the first byte of an integer is the one of
highest value, the last byte the one of the lowest value.
So we read the bytes in the order you see them in a HEX
Editor.
When looking at “Signed Integers”, any multi-byte HEX
value starting with the first HEX digit 8-F is a negative
value. Any starting with 0-7 as the first digit is a positive
value.
ASCII/Hex/Decimal/Binary/Unicode



Look at .XLS table of ASCII and Extended ASCII
characters.
Make it easy on yourself when converting from one to the
other…USE A CALCULATOR!
When using the Windows Calculator, leading 0 digits do
not show in Hex, Binary or Decimal.


i.e. 8 Decimal = 00001000 Binary
Shows in Calculator as 1000
MS DOS Date/Time Format
Format/Type
Concept
June 14, 2010 21:17:14
in this format
Used by
MS DOS Date
& Time (4 bytes)
Bits Meaning 27 AA CE 3C
0 – 4 Seconds divided by 2
5 – 10 Minutes 0 – 59
11 – 15 Hours 0 – 23
16 – 20 Days 1 – 31
21 – 24 Months (01 = January
02 = February etc.)
25 – 31 Years since 1980
27 AA CE 3C
In Binary:
00111100 11001110
10101010 00100111
FAT12
FAT16
FAT32
= 30 (years since
1980);6;14;21;17;7
(multiplied by 2 to
get 14)
FAT (12/16/32)





Boot Record (boot sector plus any additional reserved
sectors)
File Allocation Table 1
File Allocation Table 2
Root Directory
Data Area (divided into clusters, starting with Cluster #2)

In FAT32, the root directory is part of the data area.
Boot Sector (FAT 12/16)
BIOS Parameter Block (BPB) FAT12/16
Boot Sector (FAT32)
BIOS Parameter Block (BPB) FAT32
FSInfo Sector (FAT32 only)



The FSInfo sector immediately follows the first sector, containing the
BIOS Parameter Block, on a FAT32 partition.
The FAT32 boot record is made up of these two sectors and one
more reserved sector, though this 3rd sector is not used for
anything, that immediately follows the FSInfo sector.
A backup copy of the three sectors that make up the FAT32 boot
record exists and is usually located at sector 6 of the partition.
Note: with everything you know about FAT boot sectors at this point you should
be able to manually search a disk for lost FAT boot records (i.e. for “MS” (4Dh
53h) at sector offset 03h.
File Allocation Tables (FAT)






2 (supposedly identical) copies
Copy 1 immediately follows the boot record
Copy 2 immediately follows copy 1
1st entry identifies type of disk (i.e. fixed or removable)
2nd entry identifies whether Chkdsk is set to be run or not.
All other entries either point to the next cluster in a file (NN),
identify the end of the file (FF), identify a bad cluster (F7), or
identify the cluster as being free (00).
File Allocation Tables (FAT)
File Allocation Table (FAT12)
FAT12 – entries are 12 bits long (little endian)
More complicated and harder to visually identify than FAT16 or FAT32,
but Runtime Software’s Disk Explorer for FAT does a great job of interpretation!
FF8
FFF
FFF
004
005
006
007
008
009
00A
00B
00C
00D
00E
00F
010
011
012
013
014
015
FFF
017…
FFF = eof
File Allocation Table (FAT32)
FAT32 – entries are 4 bytes (32 bits) long (little endian)
0F FF FF F8 = fixed
FF FF FF FF
0F FF FF FF = eof
00 00 00 00 04 = 4
00 00 00 05 = 5
00 00 00 06 = 6
00 00 00 07 = 7
00 00 00 08 = 8
0F FF FF FF = eof
00 00 00 00 = free
00 00 00 00
0F FF FF 0F = eof
Notice the pattern…
F8 = fixed media
F0 = removable
Very easy to visually
identify on disk.
FAT Directory Entries (basic)
Filename, Ext, Attributes, Uppercase/LFN/lowercase, Create time, fine resolution: 10ms units, values from 0 to 199, Creation
Time/Date, Accessed Date, Higher 2 bytes starting Cluster, Modified Time/Date, Lower 2 bytes starting cluster number, File Size


32 bytes in length
Subdirectories always have “.” and “..” as the first two entries
Note: Knowing the above, you should be able to search a disk for lost
directory entries
FAT Directory Entries (basic)
00100000 = 0x20
FAT Directory Entries (VFAT/LFN)
FAT Directory Entries (VFAT/LFN)
LFN Sequence # (bit 6 on for last LFN entry in name – makes the 13th entry “4D” instead of “0D”
Filename in Unicode
Attribute – always “0F” for LFN entry
Checksum of DOS filename
Data Area



FAT 12/16 – Files or Sub-Folders start at “Cluster 2”, the
first cluster available for data
On a DOS bootable FAT partition, io.sys must be located at
Cluster 2
FAT 32 – The Root Directory starts at Cluster 2. Files/SubFolders start after that.
FAT File System Operations - Demo

We will now take a look at a FAT file system and what
actually happens on your disk when you perform normal
file operations, as seen by WinHex and other forensic
tools:





Create a file/folder
Rename a file/folder
Move a file/folder
Delete a file/folder
How file/folder fragmentation occurs and what it looks like
Questions???

Use the discussion board, as usual…